[CVE-2008-2230] Arbitrary code execution by preparing module files in os.curdir

Bug #239124 reported by Till Ulen
254
Affects Status Importance Assigned to Milestone
reportbug (Debian)
Fix Released
Unknown
reportbug (Ubuntu)
Fix Released
Undecided
Daniel Hahler
reportbug-ng (Debian)
Fix Released
Unknown
reportbug-ng (Ubuntu)
Won't Fix
Undecided
Unassigned

Bug Description

Binary package hint: reportbug

CVE-2008-2230 description:

"Untrusted search path vulnerability in (1) reportbug 3.8 and 3.31, and (2) reportbug-ng before 0.2008.06.04, allows local users to execute arbitrary code via a malicious module file in the current working directory."

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2230

Debian reportbug bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484311
Debian reportbug-ng bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484474

Related branches

CVE References

Changed in reportbug:
status: Unknown → Fix Released
Changed in reportbug-ng:
status: Unknown → Fix Released
Daniel Hahler (blueyed)
Changed in reportbug:
assignee: nobody → blueyed
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (6.1 KiB)

This bug was fixed in the package reportbug - 3.41ubuntu1

---------------
reportbug (3.41ubuntu1) intrepid; urgency=low

  * Merge from Debian unstable. Remaining Ubuntu specific changes:
    - reportbug.conf:
      - "bts ubuntu"
      - "smtphost fiordland.ubuntu.com":
        Added the fiordland.ubuntu.com SMTP server in reportbug.conf so
        that reportbug works without a MTA.
    - reportbug_submit.py: only display ubuntu-users specific message if
      BTS "ubuntu" is used in send_report.
    - reportbug.1: mention Ubuntu specific changes (LP: #163924)
  * Fixes LP: #239124, #204009

reportbug (3.41) unstable; urgency=high

  [ Sandro Tosi ]
  * Security bugfix release, hence urgency is set to high
  * querybts, reportbug_submit.py
    - os.curdir is not added to sys.path anymore, thanks to Thomas Arendsen
      Hein <email address hidden> for the report; Fixes: CVE-2008-2230;
      Closes: #484311

  [ Chris Lawrence ]
  * debian/control
    - Added self to Uploaders
    - Set Maintainer to new list on alioth.

  [ Y Giridhar Appaji Nag ]
  * debianbts.py
    - Remove kde, ximian (and helixcode) and mandriva, they use bugzilla
    - Remove grml, they use roundup
  * --body-file doesn't allow preview of report, don't suggest using it with
    saved files. Thanks Shai Berger <email address hidden> for the bug report
    (Closes: #484245)
  * remove calls to sys.path.append('/usr/share/reportbug') from reportbug

reportbug (3.40) unstable; urgency=low

  [ Sandro Tosi ]
  * debian/control
    - added Giridhar and me to Uploaders
    - added "DM-Upload-Allowed: yes"
    - bump Standards-Version to 3.7.3
    - moved python-central to Build-Depends-Indep and version bump to >= 0.5.14
    - updated Conflicts with python-central version lower than 0.5.13 (Closes:
      #418166)
    - added Vcs-{Svn,Browser} fields
    - added Homepage field
  * debian/copyright
    - clear separation of author, copyright and license notices
  * debian/menu
    - section updated to "Applications/System/Administration"
  * debian/rules
    - removed export DH_COMPAT
    - now using binary-indep since it's and arch: all package
    - doesn't remove 'test' dir anymore, since now it's used for unittests
      files
  * debian/compat
    - added with value = 5
  * reportbug.conf.5, po4a/add_fr/{reportbug.add,querybts.add}
    - escaped minus sign to be an hyphen
  * reportbug.ja.1
    - fixed some formatting errors
  * debianbts.py
    - added 'nm.debian.org' pseudo-package, Giridhar's patch (Closes: #478414)
    - removed Gnome BTS from bugs forward; Giridhar's patch (Closes: #439351)
    - removed [cruft-report] option from ftp.debian.org RM template;
      Giridhar's patch (Closes: #474970)
    - reintroduced 'kernel' pseudo-package, but just to fall back to
      'linux-image' (Closes: #423197)
    - added 'wiki.debian.org', 'release.debian.org' and 'spam' pseudo-packages
  * reportbug.py
    - uses dpkg when dlocate can't find the package's file (Closes: #429824,
      #422369, #322983, #408834)
  * reportbug.el
    - applied patch to let Gnus work; thanks to Håkon Stordahl for it (Closes:
      #227153)
  * reportbug
    - explained how to reuse a saved fil...

Read more...

Changed in reportbug:
status: In Progress → Fix Released
Kees Cook (kees)
Changed in reportbug-ng:
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu which no longer receives updates outside of the explicitly supported LTS packages. While this bug is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in reportbug-ng (Ubuntu):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.